Tag: network

Graphical Network Simulator

I have been working with GNS3 (Graphical Network Simulator) in some of my classes.  It is a fine tool with which one can build simulated computer networks using various routers and switches.  The software program itself is free, however, the Cisco IOS images are not included and must be found elsewhere due to copyright issues.  This detail is a bit of a pain, but not too bad.  Once the program is set up and the appropriate IOS images are loaded, the console functions exactly like whatever router is being simulated.  This includes running whichever terminal program is preferred, e.g. hyperthermia, putty, or if using the Linux version, x-term, etc.

GNS3 screen shot, topology and router console
GNS3 screenshot, topology, and router console

The advantages to this over something like Cisco’s Packet Tracer program are many.  In Packet Tracer, certain functions are locked out and generally there is only one acceptable way to complete any given task.  With GNS3, the IOS is fully functional, which means that experimentation and failure are available to play with.  Failure is a great way to learn things in any hands-on environment.  The advantage of virtual failure is that only you know about it.

For real-world applications, this means that router and switch configurations can be created, tested, and tuned ahead of time and then loaded into working devices, saving downtime and potentially handfuls of hair.

A few things about using GNS3, the PC idle tuning is required.  Each instance of IOS assumes that the entire processor is available to use, thus starting several routers can work a PC’s processor to 100% and windows will never fully recover.  Secondly, when starting each router, wait 10 to 20 seconds before starting another one.  Again, this has to do with the way IOS uses processors.  Also, to save time, store the IOS image as a decompressed file.  This saves quite a bit of time on startup.  Finally, do not forget to copy the running config to startup-config.  Even though GNS3 says it is saving the router configs, it does not save the running config unless you issue the copy run start command, just like a real router.

Wireshark; what is it good for

Wireshark is a packet protocol analyzer that is free for download and runs on Windows, Linux, BSD, OS X, and Solaris.  In the evolving broadcasting studio, computer networks are the backbone of the facility. Not just on the office side of the house, but also on the broadcast origination side as well. Today, almost everyone uses some type of computer automation system running on a network. In addition, new technologies such as AoIP consoles, VoIP phone systems, audio and video routing, remote control, off-site monitoring, audio processing, etc continue to develop.  Because of this, more and more broadcast engineering work is falling into the computer and networking realm.

Like anything else, networks can fail.  Failure modes can originate from both the physical side, e.g. wiring, connectors, patch bays, network interface cards or the software/protocol side.  Being able to diagnose problems quickly and take remedial action is important.  On the networking side, if a physical problem has been ruled out, then the problem exists with a protocol.  That is where Wireshark becomes useful; it takes the guesswork out of networking protocol troubleshooting.

Wireshark packet protocol analyzer has the following features (from their website):

  • Deep inspection of hundreds of protocols, more are in development
  • Live capture and offline analysis
  • Standard three-pane packet browser
  • Versions available for Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and other OS
  • Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
  • Filtering by protocol, IP address, MAC address, frame type, sequence number, etc
  • VoIP analysis
  • Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and others
  • Capture files compressed with gzip can be decompressed on the fly
  • Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
  • Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
  • Coloring rules can be applied to the packet list for quick, intuitive analysis
  • Output can be exported to XML, PostScript®, CSV, or plain text

A few things to keep in mind with the physical connection.  Connecting a computer to a switch port will establish a collision domain between the switch port and the computer which is also called a network segment.  The computer NIC will see all traffic on that collision domain and all broadcast traffic on the network or sub-network that the switch is attached to.  If there is a suspected problem with a particular network segment, the Wireshark computer needs to join that collision domain.

Creating a network segment tap with a hub
Creating a network segment tap with a hub

This can be done most simply by installing Wireshark on the host in that domain. Alternatively, a hub can be used to add another host to the collision domain.  Or, if it is a managed switch, there may be a provision to send all traffic on the switch out of one designated port.  This is called ‘port mirroring’, ‘port monitoring’, ‘Roving Analysis’ (3Com), or ‘Switched Port Analyzer’ or ‘SPAN’ (Cisco).

Network diagram with managed switch
Network diagram with managed switch

A quick tutorial on what to look for when using Wireshark, Part A:

Part B:

And briefly, that is how it is done.  There are many more videos on youtube and elsewhere if interested in learning more.

Very basic network security for Broadcast Engineers

Most broadcast facilities have an engineering department or service and an IT department or service which are separate.  There is often a fuzzy line between what machines belong strictly to engineering and what belongs to IT.  There are several different systems that have network interfaces but are not generally considered computers and fall squarely in the engineering department.  These include such equipment as transmitters, satellite receivers, EAS machines, IP-based audio routers and audio consoles, and IP audio CODECS.  In many cases, windows based automation systems and servers also fall under the responsibility of the engineering department.

As the recent incidents of network intrusions into vulnerable EAS machines show, after installation, steps must be taken to secure networked equipment from malicious or accidental intrusions.  The aforementioned EAS intrusion was bad but it could have been much worse.

Anything with a network interface can be exploited either internally or externally and either by purpose or accident.  The threat plan looks like this:

Computer network intrusion plain
Computer network intrusion plain

Every unauthorized network access incident falls somewhere on this plain.  An unauthorized network intrusion can be as simple as somebody using the wrong computer and gaining access to back-end equipment.  It can also be the hacker or cracker from a foreign country attempting to breach a firewall.

Basic network security falls into these categories:

  1. Physical security of machine or server room
  2. Security against internal accidental or malicious use
  3. Security against external intrusion
  4. Protection against malicious software exploitation

The first category is the easiest to understand.  Physical security means securing the server room through locking doors and preventing crawl-over/under entries.  Security cameras and monitoring are also a part of physical security.  Something that is often neglected is extended networks that bridge to transmitter sites.  Non-maned off site facilities that have network access are vulnerable points if multiple clients or tower tenants have access to the same room.  Locked equipment racks and video cameras are two ways to secure non-maned transmitter sites.  Also, when using good quality, managed switches at transmitter sites, switch port security features can be enabled, and unused switch ports shut down.

Accidental or malicious internal intrusions can be reduced or eliminated with proper password policies.  The first and most important password policy is to always change the default password.  There are lists of default routers and switch passwords available online.  The default passwords for EAS machines and other equipment is published in owner’s manuals and most broadcast engineers know them by heart.  Always change the default password, if you do nothing else, do this.

no-default-password

Other password policies include such things as minimum password length, requiring special characters, numbers and both upper and lower case letters.  Even taking those steps, passwords are still vulnerable to dictionary attacks.  To prevent a dictionary attack, the login attempts should be limited to five or so with a thirty minute freeze out after the attempt limit is reached.

External intrusion can come from a number of different sources.  Unsecured WIFI is the easiest way to gain access to a network.  Always secure WIFI with WPA or WPA2 AES encrypted pre-shared key.  This will keep all but the most determined intruders out.  Other external threats can come from man in the middle attacks.  IP bridges and WIFI must always be encrypted.

External attacks can also come over the wired network.  Most small routers have default network and password settings.  I have started moving away from using 192.168 internal networks.  Router firewalls and personal software firewalls are effective but not foolproof.  Software updates need to be performed regularly to be effective.  One recently discovered exploit is UPnP, which is enabled on many home and small office routers.  UPnP (Universal Plug-n-Play) SSDP (Simple Service Discovery Protocol) can be exploited of exposed to the public network side of the router.  ShieldsUP! by Gibson Research Corporation is a good evaluation tool for router exploits, leaks and phone homes.  They also have links to podcasts and youtube videos.

Disabling unused features on routers is a good security policy.  Features such as DHCP, DNS, SNMP, CDP, HTTP server, FTP server etc are all vulnerable to exploitation of one form or another.  Turning off those protocols that are not in use will eliminate at least a portion of those threats.

Finally, worms, bots, viruses and other malicious software can come from anywhere.  Even reputable websites now have drive-bys in linked advertizing banners.  Non-windows operating systems are less vulnerable to such programs, but not immune.   All windows machines and servers that are in anyway connected to the internet need to have updated antivirus software.  Keyloggers can steal passwords and send them to bad places where people have nefarious intent.

There are entire books, standards and upper level classes taught on network security.  This less than 1,000 word article barely brushes the surface, as the titles says, these are but a few very basic ways to implement a security policy.  It is important for technical managers and engineers to learn about, understand and implement security policies in broadcast facilities or suffer the consequences of complacency.

Pinouts

Over the years, I have collected many pinouts for all sorts of interfaces, connectors, jacks, etc.  These are all stored on my laptop and on my smartphone.  It is easy enough to look these things up online, however, there are occasions when the internet is not available for whatever reason.  Thus, this is my collection of pinouts, many of which have been adapted from Wikipedia articles.  Many times I put things here for my own use.  However, if I have spent ten minutes looking for the USB pin out on my smartphone, someone else has done the same thing.  Most of these images have higher resolutions available.

Enjoy!

EIA/TIA 568a and b ethernet cable standard
EIA/TIA 568a and b ethernet cable standard

Standard networking connectors for Ethernet connections. Rumor has it that only the “A” standard is accepted for government work and the “B” standard is being depreciated.

803.3af Power over Ethernet, imposed on EIA/TIA 568 a and b
803.3af Power over Ethernet, imposed on EIA/TIA 568 a and b

Power over Ethernet pinouts. More and more commonly used in VOIP phone systems, but can also be found in wireless access points and other things of that nature.

10/100 base T cross over cable
10/100 base T cross-over cable

Ethernet crossover cables are useful for connecting to similar pieces of equipment together, e.g. a computer to a computer, or a switch to a switch. Many new switches have port sensing, which will automatically cross the connection if a straight through cable is used.  Others have a specific port or a switch for a specific port which will cross over the cable.  Gigabit Ethernet uses all four pairs, thus a 1000 base T crossover looks a little bit different.

10/100/1000 base T Ethernet crossover cable
10/100/1000 base T Ethernet crossover cable

This type cable is backwards compatible with 10/100 base T systems.

Registered Jack 11/14/25
Registered Jack 11/14/25

Telephone system equipment jacks.

Registered Jack (RJ) 48, commonly used on T-1 and ISDN circuits
Registered Jack (RJ) 48, commonly used on T-1 and ISDN circuits

RJ48 and 48X used on T-1 (DS-1) and ISDN connections.  Since BRI and PRI ISDN are two wire circuits, the active pins are 4/5, which is the same as an RJ11.  I have often used RJ11 jacks for ISDN and found no issues with doing so.

T-1 (DS-1, DSX-1) crossover cable
T-1 (DS-1, DSX-1) crossover cable

Crossover cable for T-1 (DS-1 or DSX-1 interface). Note, this is different from an Ethernet crossover cable, which will not work for in a DS-1 interface.  A T-1 loopback connector goes from pin 1 to pin 4 and pin 2 to pin 5 on a 8P8C connector.

RJ21 and 21X color code.
RJ21 and 21X color code.

RJ21 and 21X connectors are often found on the side of punch blocks and make for quick connections on cabling trunks.

25 pair color code
25 pair color code

The generic 25 pair color code, which is always a good thing to have.

RS-232 data pins out for various connectors
RS-232 data pins out for various connectors

RS-232 is still commonly used for data transfer in broadcast facilities. RS-485 is also used, however, that standard is often used with screw terminals or some other generic connection.

Null modems, cables and pinouts
Null modems, cables and pinouts

Null modems for connecting equipment together and testing.

Universal Serial Buss (USB) connections and pinouts
Universal Serial Buss (USB) connections and pinouts

Various USB connectors and pinouts. USB has replaced RS-232 data ports on most newer computers.

VGA connector and pinout
VGA connector and pinout

Computer graphics card pinouts.

Computer Parallel port pinout
Computer Parallel port pinout

Computer parallel port pinout, not used very much anymore, replace by mostly USB devices. Can also be used as a limited GPI/GPO interface.  Some small automation software programs use pins 10,11,12,13 and 15 for closure information and pins 1, 14, 16, and 17 for output switching, machine starts and the like.

PS2 mouse and keyboard connector
PS2 mouse and keyboard connector

PS2 mouse and keyboard connectors, again, replaced by USB but still found on older motherboards.

RJ-45 to balanced analog and digital audio
RJ-45 to balanced analog and digital audio

RJ-45 to balanced audio. This is a fairly standardized audio application for RJ-45 connectors developed by Radio Systems/Studio Hub. It is also used by Telos/Axia and Wheatstone, although often the +/- 15 VDC power is not included.

XLR connectors, old technology, still used
XLR connectors, old technology, still used

The ubiquitous XLR connector, still used for analog audio and also AES/EBU digital audio.